Fix 0x0000078F Authentication Firewall Logon Failure
This error means Windows is blocking remote logons through Kerberos due to authentication firewall rules. The fix is straightforward.
Yeah, this one's frustrating. You try to remote into a machine, get the 0x0000078F error about an authentication firewall, and you're stuck. I've been there with clients who just need to get their work done. Let's cut to the chase.
The Quick Fix: Disable the Authentication Firewall
This error comes up when Windows blocks Kerberos authentication at the firewall level. On the target machine (the one you're trying to log into), open an elevated PowerShell prompt — right-click PowerShell, Run as Administrator. Then run this:
Set-NetFirewallRule -DisplayGroup "Windows Remote Management" -Enabled True
That enables WinRM firewall rules. But the real fix is often more specific. If you're using Remote Desktop or any service relying on Kerberos, the authentication firewall may be blocking it. Go to Windows Firewall with Advanced Security, find the rule "Remote Desktop - User Mode (TCP-In)" for your network profile (Private/Public), and make sure it's enabled. Also check that the rule's Scope allows your source IP under Remote IP addresses.
If that doesn't work, try this — I've seen it fix the issue in minutes:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Had a client last month whose entire Remote Desktop setup died because this one rule was disabled by a Group Policy update. Ran that command, and they were back in business immediately.
Why This Happens
Windows has a feature called the authentication firewall. It's designed to prevent unauthenticated network traffic from reaching services that require Kerberos or NTLM. When your machine tries to log into a remote server, Kerberos sends a ticket — but if the firewall doesn't allow the traffic through (or the rule is misconfigured), you get 0x0000078F.
This is common when:
- You're joining a machine to a domain across a firewall.
- Your remote server got a Group Policy update that flipped a firewall rule off.
- You're using VPN and the firewall profile switched from Domain to Private.
Less Common Variations
1. Kerberos UDP blocked
Sometimes it's not the firewall rule itself — it's that Kerberos uses UDP port 88 for authentication. If your network blocks UDP 88, you'll see this error. Fix: enable inbound UDP 88 on the remote machine's firewall, or configure Kerberos to use TCP only (not recommended, but it's a workaround).
2. Group Policy overriding local rules
In a domain environment, Group Policy might be disabling the Remote Desktop firewall rule. Check gpedit.msc or rsop.msc under Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security. If a policy says "Not configured" but a rule is disabled, the policy is overriding the local rule. You'll need to talk to your admin to adjust the GPO.
3. Third-party firewall
If you're running something like McAfee, Symantec, or even a managed firewall service, that can block Kerberos. I've seen a client's Cisco ASA kill Remote Desktop logons because it dropped Kerberos tickets. Check your third-party firewall logs for dropped packets on port 88 or 445.
Prevention: Lock It Down Right
Once you've got it working, don't just leave the firewall wide open. Here's what I tell my clients:
- Scope it. In the firewall rule's Properties -> Scope, allow only specific IPs or subnets that need remote access. Don't leave it on "Any".
- Use domain profiles. If the machine is on a domain, set the firewall profile to Domain. That way, rules are only applied when connected to the corporate network.
- Audit GPO changes. Track when Group Policy is updated. Most of my calls come after someone changed a security baseline without testing.
And if you're setting up a new server, always test remote logon from two different machines before rolling it out. It'll save you from that panic call later.
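A read-only audit of the points above, as an added example (not part of the original article): it prints the active network profile, then lists the inbound Remote Desktop rules from the effective policy with each rule's scope and whether it comes from Group Policy. It assumes an English system where the rule group is named "Remote Desktop", and an elevated PowerShell prompt.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumption: English display group name "Remote Desktop".

# Which firewall profile is active on each connection right now?
# (A VPN can move a connection from DomainAuthenticated to Private/Public.)
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize

# ActiveStore is the effective policy: local rules merged with Group Policy.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' }

$report = foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    $on   = "$($rule.Enabled)" -eq 'True'
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $on
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
        Source        = $rule.PolicyStoreSourceType   # e.g. Local or GroupPolicy
        OpenToAny     = $on -and ($addr.RemoteAddress -contains 'Any')
    }
}
$report | Format-Table -AutoSize

# Enabled rules still scoped to "Any" remote address: tighten the Scope.
$report | Where-Object OpenToAny | ForEach-Object {
    Write-Warning "$($_.Rule) is enabled for any remote address ($($_.Profile) profile)."
}

# Disabled rules that come from Group Policy: change them in the GPO, not locally.
$report | Where-Object { -not $_.Enabled -and "$($_.Source)" -eq 'GroupPolicy' } | ForEach-Object {
    Write-Warning "$($_.Rule) is disabled and comes from Group Policy; adjust it in the GPO."
}
```

Run it before and after a Group Policy refresh and compare the two tables to see which rules a baseline change touched.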